Malware Analysis Report

2025-03-15 01:41

Sample ID 230910-md3r8agc61
Target 553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe
SHA256 553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
Tags
healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de

Threat Level: Known bad

The file 553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

healer redline smokeloader virad backdoor dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Healer

RedLine

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Execution chain (reading of the two detonations below): the sample starts the 32-bit .NET host C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, writes into it repeatedly and uses SetThreadContext, which is consistent with process hollowing; the dumps of AppLaunch.exe at 0x400000-0x529000 are the injected image. On Windows 7 (behavioral1) the hollowed process crashes and nothing else happens. On Windows 10 (behavioral2) the hollowed AppLaunch.exe unpacks a five-level chain of self-extracting stages (IXP000.TMP through IXP004.TMP), each stage writing the next, and the chain finally drops four payload executables (a8230283.exe, b9802418.exe, c0268471.exe, d1327236.exe). Three of those inject into fresh AppLaunch.exe instances, one of which disables Windows Defender real-time protection through the policy registry keys, and the run ends with connections to 77.91.124.82:19071, 77.91.68.29:80 and 77.91.124.231:80. The report does not attribute individual payloads to the Healer, RedLine and SmokeLoader tags.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:21

Reported

2023-09-10 10:24

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 1492 (14 writes) N/A C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2068 (7 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

The 14 writes from the sample into AppLaunch.exe are the injection. The writes from AppLaunch.exe (1492) into WerFault.exe (2068) are the hollowed process starting Windows Error Reporting for its own crash (WerFault.exe -u -p 1492 under Processes), not a second injection.

Processes

C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 200

On this Windows 7 image the injected AppLaunch.exe (PID 1492) crashes before the dropper chain seen in behavioral2 unpacks, which is why the only artifacts are the memory dumps of PID 1492 below and no network traffic is recorded.

Network

N/A

Files

memory/1492-0-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-1-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-2-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-3-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-4-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-5-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-7-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1492-9-0x0000000000400000-0x0000000000529000-memory.dmp

memory/1492-11-0x0000000000400000-0x0000000000529000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 10:21

Reported

2023-09-10 10:24

Platform

win10v2004-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

All five values are written under the Group Policy location (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), logged here through the WOW6432Node path because the writer is the 32-bit AppLaunch.exe. With Tamper Protection enabled Defender ignores these registry changes; without it, DisableRealtimeMonitoring = 1 switches real-time scanning off. On a suspect host, read that key and compare it with the live state reported by Get-MpPreference and Get-MpComputerStatus. The sandbox attributes the writes to AppLaunch.exe but not to a PID, so which hollowed instance performed them is not recorded.
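Detection logic for these writes, as an added example that is not part of the sandbox report: it scans Sysmon-style registry SetValue events (Event ID 13) for the Defender real-time protection policy values being set to 1, normalises the kernel and WOW64-redirected key paths onto one form, and flags the writing process. The event lines are constructed to mirror the table above in a simple Field=value|Field=value layout, and both that layout and the allow-list of expected policy writers are assumptions for the example.

```python
"""Flag Windows Defender real-time protection policy tampering in
Sysmon-style registry events (Event ID 13, RegistryEvent SetValue).

Added example; the event lines below are constructed, not taken from a
real host, and the pipe-delimited "Field=value" layout is an assumption.
"""
import re
from dataclasses import dataclass

# Policy key the sample wrote to (normalised: HKLM prefix, no WOW6432Node).
DEFENDER_RTP_POLICY = (
    r"hklm\software\policies\microsoft\windows defender\real-time protection"
)
# Value names the report shows being set to 1 (lower-case for comparison).
DISABLE_VALUES = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}
# Processes that may legitimately write Defender policy (assumed allow-list;
# tune to the management stack in use, e.g. the Group Policy client).
EXPECTED_WRITERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\gpupdate.exe",
}

_DWORD = re.compile(r"DWORD \(0x([0-9a-f]+)\)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    image: str            # process that performed the write
    value_name: str       # which Defender switch was flipped
    trusted_writer: bool  # True if the image is on the policy allow-list


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\MACHINE\\... and WOW64-redirected paths onto one form."""
    p = path.lower().replace("\\registry\\machine\\", "hklm\\")
    return p.replace("\\wow6432node\\", "\\")


def parse_event(line: str) -> dict:
    """Split 'Field=value|Field=value' into a dict (constructed log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def dword_value(details: str):
    """Extract the integer from Sysmon's 'DWORD (0x00000001)' rendering, else None."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


def find_defender_tampering(lines) -> list:
    """Return one Finding per SetValue event that disables a Defender protection."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only SetValue events carry the written data
        key, _, value_name = normalize_key(ev.get("TargetObject", "")).rpartition("\\")
        if key != DEFENDER_RTP_POLICY or value_name not in DISABLE_VALUES:
            continue
        if dword_value(ev.get("Details", "")) != 1:
            continue  # a write of 0 re-enables protection; not tampering
        image = ev.get("Image", "").lower()
        findings.append(Finding(image, value_name, image in EXPECTED_WRITERS))
    return findings


APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Constructed events modelled on the table above (not real telemetry).
SAMPLE_EVENTS = [
    rf"EventID=12|Image={APPLAUNCH}|TargetObject={RTP_KEY}|EventType=CreateKey",
    rf"EventID=13|Image={APPLAUNCH}|TargetObject={RTP_KEY}\DisableRealtimeMonitoring|Details=DWORD (0x00000001)",
    rf"EventID=13|Image={APPLAUNCH}|TargetObject={RTP_KEY}\DisableBehaviorMonitoring|Details=DWORD (0x00000001)",
    # Group Policy client restoring protection: value 0, so not a finding.
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring|Details=DWORD (0x00000000)",
    # Same switch set by an allow-listed writer: reported, but marked trusted.
    r"EventID=13|Image=C:\Windows\System32\gpupdate.exe|TargetObject=HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection|Details=DWORD (0x00000001)",
    # Unrelated Run key write: ignored.
    r"EventID=13|Image=C:\Users\Admin\setup.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\Admin\u.exe",
]

if __name__ == "__main__":
    for f in find_defender_tampering(SAMPLE_EVENTS):
        flag = "expected writer" if f.trusted_writer else "UNEXPECTED WRITER"
        print(f"{flag}: {f.image} set {f.value_name} = 1")
```

The path normalisation matters in practice: the same write appears as \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\... in sandbox and kernel-level logs and as HKLM\SOFTWARE\... in Sysmon, and a rule keyed on only one spelling misses the other.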

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe N/A

These RunOnce values are the cleanup entries that the Windows self-extracting stub (wextract, the stub used by IExpress packages) registers so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00n.TMP extraction directory at the next logon. They launch nothing from the sample on reboot, so on their own they are weak evidence of persistence. What they do show is five nested self-extracting layers: the hollowed AppLaunch.exe, then v3941763.exe, v9129473.exe, v9611666.exe and v3218442.exe each unpack the next stage into a new IXP00n.TMP directory.

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI exposes the disk device identifier strings; code that checks for a virtual machine commonly looks there for vendor names such as VMware, VBOX or QEMU, which is why this is a sandbox-evasion indicator. Whether the result changed the sample's behaviour in this run is not visible from the report.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (4 events)
N/A N/A N/A N/A (60 events with no process attributed)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4648 wrote to memory of 4684 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4684 wrote to memory of 4328 (3 writes) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe
PID 4328 wrote to memory of 1576 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe
PID 1576 wrote to memory of 3036 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe
PID 3036 wrote to memory of 1288 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe
PID 1288 wrote to memory of 1976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe
PID 1976 wrote to memory of 4608 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1976 wrote to memory of 628 (8 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1288 wrote to memory of 2956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9802418.exe
PID 2956 wrote to memory of 5000 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9802418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3036 wrote to memory of 944 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0268471.exe
PID 944 wrote to memory of 4856 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0268471.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1576 wrote to memory of 3980 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1327236.exe

Three writes from a parent into a freshly started child is what CreateProcess itself performs while setting up the new process. The pairs with six to ten writes into AppLaunch.exe are the injections, and those four targets (4684, 628, 5000, 4856) are exactly the PIDs for which 0x400000-based memory dumps appear under Files; AppLaunch.exe 4608 received only the start-up writes and has no dump.
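The rows of this table collapse to thirteen distinct writer/target pairs, and the repeat counts separate two very different things. As an added example that is not part of the sandbox output, the script below parses rows in this table's format, deduplicates them with counts, rebuilds the write chain as a tree, and flags pairs where a Windows binary received clearly more writes than the few a normal CreateProcess call makes while setting up its child. That threshold is a heuristic assumed here, not something the report states, and the rows are constructed from the table above.

```python
"""Rebuild the injection chain from sandbox 'PID A wrote to memory of B' rows.

Added example, not sandbox output. SAMPLE_ROWS is constructed from the
behavioral2 table above; CREATEPROCESS_WRITES is a heuristic, not a figure
the report states.
"""
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

# Writes a parent makes into a freshly created child while CreateProcess sets
# up its parameters; a count well above this is data the parent chose to write.
CREATEPROCESS_WRITES = 3


def _row(src, dst, src_path, dst_path):
    return f"PID {src} wrote to memory of {dst} N/A {src_path} {dst_path}"


def _stage(n, name):
    return f"{TMP}\\IXP00{n}.TMP\\{name}"


# Constructed from the behavioral2 table: same writer/target pairs, same repeat counts.
SAMPLE_ROWS = (
    [_row(4648, 4684, SAMPLE, APPLAUNCH)] * 10
    + [_row(4684, 4328, APPLAUNCH, _stage(0, "v3941763.exe"))] * 3
    + [_row(4328, 1576, _stage(0, "v3941763.exe"), _stage(1, "v9129473.exe"))] * 3
    + [_row(1576, 3036, _stage(1, "v9129473.exe"), _stage(2, "v9611666.exe"))] * 3
    + [_row(3036, 1288, _stage(2, "v9611666.exe"), _stage(3, "v3218442.exe"))] * 3
    + [_row(1288, 1976, _stage(3, "v3218442.exe"), _stage(4, "a8230283.exe"))] * 3
    + [_row(1976, 4608, _stage(4, "a8230283.exe"), APPLAUNCH)] * 3
    + [_row(1976, 628, _stage(4, "a8230283.exe"), APPLAUNCH)] * 8
    + [_row(1288, 2956, _stage(3, "v3218442.exe"), _stage(4, "b9802418.exe"))] * 3
    + [_row(2956, 5000, _stage(4, "b9802418.exe"), APPLAUNCH)] * 10
    + [_row(3036, 944, _stage(2, "v9611666.exe"), _stage(3, "c0268471.exe"))] * 3
    + [_row(944, 4856, _stage(3, "c0268471.exe"), APPLAUNCH)] * 6
    + [_row(1576, 3980, _stage(1, "v9129473.exe"), _stage(2, "d1327236.exe"))] * 3
)


def parse_rows(rows):
    """Count identical rows; key is (writer pid, target pid, writer path, target path)."""
    edges = Counter()
    for row in rows:
        t = row.split()
        if len(t) != 10 or t[0] != "PID" or t[2:6] != ["wrote", "to", "memory", "of"]:
            raise ValueError(f"unrecognised row: {row!r}")
        edges[(int(t[1]), int(t[6]), t[8], t[9])] += 1
    return edges


def classify(edge, count):
    """Label a writer/target pair from where the target lives and how much was written."""
    dst_path = edge[3]
    if count <= CREATEPROCESS_WRITES:
        return "child start-up writes"
    if dst_path.lower().startswith("c:\\windows\\"):
        return "injection into Windows binary (hollowing candidate)"
    return "bulk write into child"


def hollowing_targets(edges):
    """PIDs of Windows binaries that received more than start-up writes."""
    return [edge[1] for edge, n in edges.items() if classify(edge, n).startswith("injection")]


def build_tree(edges):
    children = defaultdict(list)
    for (src, dst, _, _) in edges:
        children[src].append(dst)
    return children


def longest_chain(children, pid):
    """Number of processes on the longest writer->target path starting at pid."""
    return 1 + max((longest_chain(children, c) for c in children.get(pid, [])), default=0)


def render(edges, root):
    """Indented text tree: pid, image name and, per edge, write count and label."""
    names = {}
    for (src, dst, src_path, dst_path) in edges:
        names[src], names[dst] = src_path, dst_path
    by_pair = {edge[:2]: (edge, n) for edge, n in edges.items()}
    children = build_tree(edges)
    lines = []

    def walk(pid, depth, tag):
        base = names[pid].rsplit("\\", 1)[-1]  # os.path.basename would not split Windows paths on Linux
        lines.append(f"{'  ' * depth}{pid} {base}{tag}")
        for child in children.get(pid, []):
            edge, n = by_pair[(pid, child)]
            walk(child, depth + 1, f"  [{n} writes: {classify(edge, n)}]")

    walk(root, 0, "")
    return lines


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render(edges, 4648)))
    print("hollowing candidates:", hollowing_targets(edges))
    print("longest chain:", longest_chain(build_tree(edges), 4648), "processes")
```

The three-write threshold will misclassify an injector that copies its whole payload in a single large call, so treat the label as triage rather than proof and confirm it against SetThreadContext or MapViewOfSection events on the same target PID and against the memory dumps the sandbox took of it.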

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043deexe_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4648 -ip 4648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 288

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1976 -ip 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9802418.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9802418.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2956 -ip 2956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0268471.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0268471.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1327236.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1327236.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
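Most rows in this table are not the sample's own traffic. The in-addr.arpa queries are reverse (PTR) lookups the sandbox issues for addresses the guest contacted, and the addresses they encode (40.126.32.138 from 138.32.126.40.in-addr.arpa, and so on) fall in address space a Windows 10 image talks to on its own, Microsoft services and CDNs; the one exception is 29.68.91.77.in-addr.arpa, which is the lookup for 77.91.68.29, an address the sample connected to directly. The three Finnish endpoints with repeated direct TCP connections are the indicators worth keeping; the report's family tags do not say which payload owns which endpoint. As an added example that is not part of the report, the script below parses rows in this table's format, decodes PTR names back to IPv4 addresses, counts direct connections per endpoint and notes which reverse lookups correspond to an address the sample actually connected to. The rows are a constructed subset of the table above.

```python
"""Separate sandbox reverse-DNS noise from the sample's own connections.

Added example; SAMPLE_ROWS is a constructed subset of the Network table above
(Country Destination Domain Proto, with Domain absent on some rows).
"""
from collections import Counter

SAMPLE_ROWS = [
    "US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
    "FI 77.91.68.29:80 77.91.68.29 tcp",
    "FI 77.91.124.231:80 tcp",
    "US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
    "FI 77.91.68.29:80 77.91.68.29 tcp",
    "FI 77.91.124.231:80 tcp",
    "FI 77.91.124.82:19071 tcp",
    "US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp",
    "FI 77.91.124.82:19071 tcp",
]


def ptr_to_ip(name):
    """'138.32.126.40.in-addr.arpa' -> '40.126.32.138'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_row(row):
    """Return (country, ip, port, domain_or_None, proto) for one table row."""
    t = row.split()
    if len(t) not in (3, 4):
        raise ValueError(f"unrecognised row: {row!r}")
    ip, _, port = t[1].rpartition(":")
    domain = t[2] if len(t) == 4 else None
    return t[0], ip, int(port), domain, t[-1]


def triage(rows, resolver_ips=("8.8.8.8",)):
    """Split rows into counted direct connections and decoded reverse lookups."""
    connections = Counter()
    lookups = []
    for row in rows:
        _country, ip, port, domain, proto = parse_row(row)
        looked_up = ptr_to_ip(domain)
        if ip in resolver_ips and port == 53 and looked_up:
            lookups.append(looked_up)  # sandbox PTR query, not sample traffic
            continue
        connections[(ip, port, proto)] += 1
    contacted = {ip for ip, _, _ in connections}
    return {
        "connections": connections,
        "reverse_lookups": lookups,
        "lookups_of_contacted_hosts": [ip for ip in lookups if ip in contacted],
        "indicators": sorted(f"{ip}:{port}/{proto}" for ip, port, proto in connections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for (ip, port, proto), n in result["connections"].most_common():
        print(f"{ip}:{port}/{proto}  x{n}")
    print("reverse lookups decoded:", result["reverse_lookups"])
    print("lookups of hosts the sample connected to:", result["lookups_of_contacted_hosts"])
```

Decoded PTR addresses that also appear as direct connections (here 77.91.68.29) are worth the same weight as the connection itself; the rest are background and should not be blocked or hunted on without further checking.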

Files

memory/4684-0-0x0000000000400000-0x0000000000529000-memory.dmp

memory/4684-1-0x0000000000400000-0x0000000000529000-memory.dmp

memory/4684-2-0x0000000000400000-0x0000000000529000-memory.dmp

memory/4684-3-0x0000000000400000-0x0000000000529000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3941763.exe

MD5 c7389a9fa088544dec7a5401585f5695
SHA1 49691d91b4aa381c1fca4a804bd9b53d5e3c6ee1
SHA256 6a734621c4dec0bc847a43d44f018a009a50af2bcdd817d08ec660ebdcd2107c
SHA512 c2b914a17684ee384c61abd10eab6e80949dca10702184da21e706e35857c65754ec00c1c60018f3289de24681f5c4415f170b3212599407d8dc0633171dfdab

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9129473.exe

MD5 27a1426c1040a316148a410e850df60b
SHA1 5918c01db1f7a03000392970bbd044bc99a24fca
SHA256 f46c132fa69598f01373da2bcd1829c395732fed1ef110e42db6cc663df3a60a
SHA512 60b5f9b1cf16d7cace6ab3e3e0c9d35b370eedece87ffb17db7f57f8d6da2c1fc3ea1234cdf494eebcea2a301c3fd7dd8e4470e4250a1755ff9636749acaf977

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9611666.exe

MD5 abb0eb2a4438957e1e2203f707709ea8
SHA1 a9aed70a9b433ea4de3c0dd95ffc42f0303c89b0
SHA256 fd471016f40d41bae6c505c79660ef2d08929aaa46d9cbe32fac5f501cd62704
SHA512 88338ceef7a78d37e21cedb5df6e7b1ba15732339103f45692623ace30f7e0a0d9bce1e0380ed9238e9e7ac88cbc0598fc8844cb169ff8b9df143f39ee9c3ce2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3218442.exe

MD5 ce819c4f2e76a115a197744d234d0aab
SHA1 8df9bfb5baa1ae922f419d4455ba21cfda8d3c06
SHA256 7fdd6fabc2e7a2e53c668d7465e3ecef9f9104bad409e321ed8c402bf76db171
SHA512 f4d676a1307f4c337bb10cf752ca8fd344ef1cdbcce34f55568e42bad819170d7f9d3e674a3525c20e8f2102869b6f04855ec315f95507bf3b463e39e4930abd

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8230283.exe

MD5 b51672878073dcf0ac0aac6c807a6dd5
SHA1 7576987f654020d367decfe2b80fdf3ca061e386
SHA256 6e98517d9c47c8f27c5f76e5011c0cb7db5462c6b89ebceb538f66e932c9636d
SHA512 989c045c057c8713d178e125816d697937dbaee2d1955fe40bc2b569c13cc78213c69267afa9e3cfbc00202367435d7adf1c46c8ec54506b3e8f706e5614ab12

memory/628-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/628-40-0x0000000073830000-0x0000000073FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9802418.exe

MD5 4d2cce930715eed874c2bcc0700f2c46
SHA1 6e7aab2147cca98737e8caf64f4fb91f7135c583
SHA256 589b93f4101ea3745fe78403e93661ab0550924aee4c984f6de2ada16bddd7be
SHA512 c0cf9071b8b64600a1ac6ec790ae2b942410fac96bea0da669b1b07b9f92589805d933707317a269c76d50d698b83ae7f596473fa75ea4298a8f9b53a093d3c7

memory/5000-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5000-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5000-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5000-48-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0268471.exe

MD5 3985cba32b5cb80274274f0a08528297
SHA1 1e9b4aaecafb9f8698c90d4488510faa7429a25f
SHA256 9d13d2bcd1cc8c74aaecc24408baa0547d8299ac3798f179ede5cedcf3003f97
SHA512 994626c33d28799e237b180d64f85708c113d08ac1ef7d39c544a2631ec324d56f79d526f04b463f138c81646a0127fea0ffe59b36f084bdebcd572f2b2f1148

memory/4856-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4856-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1327236.exe

MD5 ab718c8bfbcd5dbede203df896add877
SHA1 3b6e9f5bcef8099adfb5ecaeb153bdba66cdb62d
SHA256 80d19dc807692cc325d9381d278cf56a2377a84685635b302b56f9ba07be444d
SHA512 23fbbe5b50c60bb37bbb6874a98fbe0e1a5793dac1d5f44f40e424e44f872ed31b8b13bd9a51f6c349c54ff268bca77a3b1c308c055213c1234e1d6c7bcd0765

memory/3980-57-0x00000000007A0000-0x00000000007D0000-memory.dmp

memory/3980-58-0x0000000073830000-0x0000000073FE0000-memory.dmp

memory/3980-59-0x0000000005800000-0x0000000005E18000-memory.dmp

memory/3980-60-0x0000000005330000-0x000000000543A000-memory.dmp

memory/3980-61-0x0000000005270000-0x0000000005282000-memory.dmp

memory/3980-62-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

memory/3980-63-0x00000000052D0000-0x000000000530C000-memory.dmp

memory/4684-64-0x0000000000400000-0x0000000000529000-memory.dmp

memory/4856-66-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3052-65-0x00000000028C0000-0x00000000028D6000-memory.dmp

memory/628-69-0x0000000073830000-0x0000000073FE0000-memory.dmp

memory/628-71-0x0000000073830000-0x0000000073FE0000-memory.dmp

memory/3980-72-0x0000000073830000-0x0000000073FE0000-memory.dmp

memory/3980-73-0x0000000004FD0000-0x0000000004FE0000-memory.dmp